OBS User unknown 2007-03-15 00:56:27 +00:00 committed by Git OBS Bridge
parent cdaa9ffb7a
commit d4de5c0c42
25 changed files with 170 additions and 144 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1b2826c2c9b94cd2c2c441a3acf2b0f954b8556a0db6aa938cac13c44504e186
size 776871


@ -63,7 +63,7 @@
/*
* Close all listening sockets
@@ -941,6 +997,7 @@
@@ -942,6 +998,7 @@
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@ -71,7 +71,7 @@
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -986,6 +1043,13 @@
@@ -987,6 +1044,13 @@
continue;
}
listen_socks[num_listen_socks] = listen_sock;


@ -1,5 +1,94 @@
--- openssh-4.5p1/loginrec.c.audit 2006-09-07 14:57:54.000000000 +0200
+++ openssh-4.5p1/loginrec.c 2006-12-21 12:17:35.000000000 +0100
# add support for Linux audit (FATE #120269)
--- openssh-4.6p1/Makefile.in
+++ openssh-4.6p1/Makefile.in
@@ -45,6 +45,7 @@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
LIBSELINUX=@LIBSELINUX@
+LIBAUDIT=@LIBAUDIT@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@
@@ -139,7 +140,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.6p1/auth.c
+++ openssh-4.6p1/auth.c
@@ -286,6 +286,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
--- openssh-4.6p1/config.h.in
+++ openssh-4.6p1/config.h.in
@@ -1305,6 +1305,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
--- openssh-4.6p1/configure.ac
+++ openssh-4.6p1/configure.ac
@@ -3170,6 +3170,20 @@
)
AC_SUBST(LIBSELINUX)
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h)
+ LIBAUDIT="-laudit"
+ fi
+ ])
+AC_SUBST(LIBAUDIT)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
@@ -3990,6 +4004,7 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-4.6p1/loginrec.c
+++ openssh-4.6p1/loginrec.c
@@ -175,6 +175,10 @@
#include "auth.h"
#include "buffer.h"
@ -84,8 +173,8 @@
/**
** Low-level libutil login() functions
**/
--- openssh-4.5p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.5p1/loginrec.h 2006-12-21 12:17:35.000000000 +0100
--- openssh-4.6p1/loginrec.h
+++ openssh-4.6p1/loginrec.h
@@ -127,5 +127,9 @@
char *line_abbrevname(char *dst, const char *src, int dstsize);
@ -96,91 +185,3 @@
+#endif /* HAVE_LINUX_AUDIT */
#endif /* _HAVE_LOGINREC_H_ */
--- openssh-4.5p1/Makefile.in.audit 2006-10-23 23:44:47.000000000 +0200
+++ openssh-4.5p1/Makefile.in 2006-12-21 12:19:39.000000000 +0100
@@ -45,6 +45,7 @@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
LIBSELINUX=@LIBSELINUX@
+LIBAUDIT=@LIBAUDIT@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@
@@ -139,7 +140,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- openssh-4.5p1/config.h.in.audit 2006-11-07 14:07:01.000000000 +0100
+++ openssh-4.5p1/config.h.in 2006-12-21 12:17:35.000000000 +0100
@@ -1305,6 +1305,9 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
+/* Define if you want Linux audit support. */
+#undef HAVE_LINUX_AUDIT
+
/* Define to 1 if your processor stores words with the most significant byte
first (like Motorola and SPARC, unlike Intel and VAX). */
#undef WORDS_BIGENDIAN
--- openssh-4.5p1/configure.ac.audit 2006-12-21 12:17:34.000000000 +0100
+++ openssh-4.5p1/configure.ac 2006-12-21 12:17:35.000000000 +0100
@@ -3161,6 +3161,20 @@
)
AC_SUBST(LIBSELINUX)
+# Check whether user wants Linux audit support
+LINUX_AUDIT_MSG="no"
+LIBAUDIT=""
+AC_ARG_WITH(linux-audit,
+ [ --with-linux-audit Enable Linux audit support],
+ [ if test "x$withval" != "xno" ; then
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+ LINUX_AUDIT_MSG="yes"
+ AC_CHECK_HEADERS(libaudit.h)
+ LIBAUDIT="-laudit"
+ fi
+ ])
+AC_SUBST(LIBAUDIT)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
@@ -3982,6 +3996,7 @@
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " Linux audit support: $LINUX_AUDIT_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
--- openssh-4.5p1/auth.c.audit 2006-10-27 17:10:16.000000000 +0200
+++ openssh-4.5p1/auth.c 2006-12-21 12:17:35.000000000 +0100
@@ -286,6 +286,12 @@
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
# endif
#endif
+#if HAVE_LINUX_AUDIT
+ if (authenticated == 0 && !authctxt->postponed) {
+ linux_audit_record_event(-1, authctxt->user, NULL,
+ get_remote_ipaddr(), "sshd", 0);
+ }
+#endif
#ifdef SSH_AUDIT_EVENTS
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
@@ -492,6 +498,10 @@
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
+#ifdef HAVE_LINUX_AUDIT
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+ "sshd", 0);
+#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
#endif /* SSH_AUDIT_EVENTS */
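Review bot: In the configure.ac hunk, `--with-linux-audit` defines HAVE_LINUX_AUDIT and sets `LIBAUDIT="-laudit"` without acting on the `AC_CHECK_HEADERS(libaudit.h)` result or probing the library, so a host without libaudit only fails later at compile or link time. Gating both on a probe, e.g. `AC_CHECK_LIB(audit, audit_open, [LIBAUDIT="-laudit"], [AC_MSG_ERROR([libaudit not found])])`, would stop at configure time instead. In auth.c the first guard is `#if HAVE_LINUX_AUDIT` and the second `#ifdef HAVE_LINUX_AUDIT`; using `#ifdef` for both matches the `#undef` default in config.h.in. Both `linux_audit_record_event(...)` calls discard any result, and the function's definition is not visible here; if it reports failure, a failed login that could not be written to the audit trail should at least be logged. The enclosing functions in auth.c begin and end outside the hunks.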


@ -1,5 +1,5 @@
--- openssh-4.5p1/sshd.8
+++ openssh-4.5p1/sshd.8
--- openssh-4.6p1/sshd.8
+++ openssh-4.6p1/sshd.8
@@ -739,7 +739,7 @@
The file format is described in
.Xr moduli 5 .
@ -28,9 +28,9 @@
.Xr sshd_config 5 ,
.Xr inetd 8 ,
.Xr sftp-server 8
--- openssh-4.5p1/sshd_config.5
+++ openssh-4.5p1/sshd_config.5
@@ -169,9 +169,6 @@
--- openssh-4.6p1/sshd_config.5
+++ openssh-4.6p1/sshd_config.5
@@ -167,9 +167,6 @@
By default, no banner is displayed.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
@ -40,7 +40,7 @@
The default is
.Dq yes .
.It Cm Ciphers
@@ -384,7 +381,7 @@
@@ -382,7 +379,7 @@
.Pp
.Pa /etc/hosts.equiv
and


@ -1,9 +1,5 @@
# Load drivers for available hardware crypto accelerators.
# -- mludvig@suse.cz
Index: openssh-3.8p1/ssh-add.c
================================================================================
--- openssh-4.5p1/ssh-add.c
+++ openssh-4.5p1/ssh-add.c
--- openssh-4.6p1/ssh-add.c
+++ openssh-4.6p1/ssh-add.c
@@ -42,6 +42,7 @@
#include <sys/param.h>
@ -23,8 +19,8 @@ Index: openssh-3.8p1/ssh-add.c
/* At first, get a connection to the authentication agent. */
ac = ssh_get_authentication_connection();
if (ac == NULL) {
--- openssh-4.5p1/ssh-agent.c
+++ openssh-4.5p1/ssh-agent.c
--- openssh-4.6p1/ssh-agent.c
+++ openssh-4.6p1/ssh-agent.c
@@ -51,6 +51,7 @@
#include <openssl/evp.h>
@ -33,7 +29,7 @@ Index: openssh-3.8p1/ssh-add.c
#include <errno.h>
#include <fcntl.h>
@@ -1044,6 +1045,10 @@
@@ -1043,6 +1044,10 @@
SSLeay_add_all_algorithms();
@ -44,8 +40,8 @@ Index: openssh-3.8p1/ssh-add.c
__progname = ssh_get_progname(av[0]);
init_rng();
seed_rng();
--- openssh-4.5p1/ssh-keygen.c
+++ openssh-4.5p1/ssh-keygen.c
--- openssh-4.6p1/ssh-keygen.c
+++ openssh-4.6p1/ssh-keygen.c
@@ -21,6 +21,7 @@
#include <openssl/evp.h>
@ -54,8 +50,8 @@ Index: openssh-3.8p1/ssh-add.c
#include <errno.h>
#include <fcntl.h>
@@ -1074,6 +1075,11 @@
__progname = ssh_get_progname(av[0]);
@@ -1073,6 +1074,11 @@
__progname = ssh_get_progname(argv[0]);
SSLeay_add_all_algorithms();
+
@ -63,11 +59,11 @@ Index: openssh-3.8p1/ssh-add.c
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+
log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
init_rng();
--- openssh-4.5p1/ssh-keysign.c
+++ openssh-4.5p1/ssh-keysign.c
--- openssh-4.6p1/ssh-keysign.c
+++ openssh-4.6p1/ssh-keysign.c
@@ -38,6 +38,7 @@
#include <openssl/evp.h>
#include <openssl/rand.h>
@ -88,8 +84,8 @@ Index: openssh-3.8p1/ssh-add.c
for (i = 0; i < 256; i++)
rnd[i] = arc4random();
RAND_seed(rnd, sizeof(rnd));
--- openssh-4.5p1/ssh.c
+++ openssh-4.5p1/ssh.c
--- openssh-4.6p1/ssh.c
+++ openssh-4.6p1/ssh.c
@@ -72,6 +72,7 @@
#include <openssl/evp.h>
@ -109,8 +105,8 @@ Index: openssh-3.8p1/ssh-add.c
/* Initialize the command to execute on remote host. */
buffer_init(&command);
--- openssh-4.5p1/sshd.c
+++ openssh-4.5p1/sshd.c
--- openssh-4.6p1/sshd.c
+++ openssh-4.6p1/sshd.c
@@ -75,6 +75,7 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@ -119,7 +115,7 @@ Index: openssh-3.8p1/ssh-add.c
#ifdef HAVE_SECUREWARE
#include <sys/security.h>
#include <prot.h>
@@ -1444,6 +1445,10 @@
@@ -1445,6 +1446,10 @@
SSLeay_add_all_algorithms();


@ -153,16 +153,16 @@ Index: auth2-gss.c
sDeprecated, sUnsupported
@@ -351,9 +354,11 @@
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_GLOBAL },
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sGssEnableMITM },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapienablemitmattack", sUnsupported },
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_GLOBAL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -877,6 +882,10 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
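Review bot: The two `gssapienablemitmattack` table entries omit the third (scope) field that every neighbouring entry sets, so their flag is an implicit 0 while the refreshed context lines now carry `SSHCFG_GLOBAL` or `SSHCFG_ALL`. For an option whose name indicates it relaxes a man-in-the-middle protection, the scope should be spelled out, e.g. `{ "gssapienablemitmattack", sGssEnableMITM, SSHCFG_GLOBAL },` and likewise for the `sUnsupported` entry, so it cannot be read as permitted inside a Match block. How the parser treats a zero flag value is not visible in this hunk, so this should be confirmed against the code that consumes the table. The keyword table begins and ends outside the hunk.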


@ -1,5 +1,5 @@
--- openssh-4.5p1/misc.c
+++ openssh-4.5p1/misc.c
--- openssh-4.6p1/misc.c
+++ openssh-4.6p1/misc.c
@@ -186,6 +186,29 @@
return (old);
}
@ -39,8 +39,8 @@
fatal("tilde_expand_filename: No such uid %d", uid);
if (strlcpy(ret, pw->pw_dir, sizeof(ret)) >= sizeof(ret))
--- openssh-4.5p1/misc.h
+++ openssh-4.5p1/misc.h
--- openssh-4.6p1/misc.h
+++ openssh-4.6p1/misc.h
@@ -34,6 +34,7 @@
char *tohex(const void *, size_t);
void sanitise_stdfd(void);
@ -49,8 +49,8 @@
struct passwd *pwcopy(struct passwd *);
typedef struct arglist arglist;
--- openssh-4.5p1/ssh.c
+++ openssh-4.5p1/ssh.c
--- openssh-4.6p1/ssh.c
+++ openssh-4.6p1/ssh.c
@@ -249,7 +249,7 @@
}
#endif


@ -8,7 +8,7 @@
logit("Received SIGHUP; restarting.");
close_listen_socks();
close_startup_pipes();
@@ -1317,7 +1318,11 @@
@@ -1318,7 +1319,11 @@
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
compat_init_setproctitle(ac, av);


@ -1,6 +1,6 @@
--- ssh-agent.c
+++ ssh-agent.c
@@ -1127,8 +1127,18 @@
@@ -1126,8 +1126,18 @@
parent_pid = getpid();
if (agentsocket == NULL) {

3
openssh-4.6p1.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c19f14140fbbbf912b9a033e961910ab5510a6c625bbd1a443e7aa9bbe6c09b9
size 781338


@ -1,5 +1,5 @@
#
# spec file for package openssh-askpass-gnome (Version 4.5p1)
# spec file for package openssh-askpass-gnome (Version 4.6p1)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@ -14,8 +14,8 @@ Name: openssh-askpass-gnome
BuildRequires: gtk2-devel krb5-devel opensc-devel openssh openssl-devel pam-devel tcpd-devel update-desktop-files
License: Other License(s), see package
Group: Productivity/Networking/SSH
Version: 4.5p1
Release: 19
Version: 4.6p1
Release: 1
Requires: openssh = %{version} openssh-askpass = %{version}
Autoreqprov: on
Summary: A GNOME-Based Passphrase Dialog for OpenSSH


@ -1,6 +1,6 @@
--- configure.ac
+++ configure.ac
@@ -3220,7 +3220,14 @@
@@ -3237,7 +3237,14 @@
K5LIBS="-lgssapi $K5LIBS" ],
[ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context,
[ AC_DEFINE(GSSAPI)


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Mon Mar 12 10:56:31 CET 2007 - anicka@suse.cz
- update to 4.6p1
* sshd now allows the enabling and disabling of authentication
methods on a per user, group, host and network basis via the
Match directive in sshd_config.
* Allow multiple forwarding options to work when specified in a
PermitOpen directive
* Clear SIGALRM when restarting due to SIGHUP. Prevents stray
signal from taking down sshd if a connection was pending at
the time SIGHUP was received
* hang on exit" when background processes are running at the
time of exit on a ttyful/login session
* some more bugfixes
-------------------------------------------------------------------
Mon Mar 5 11:03:41 CET 2007 - anicka@suse.cz


@ -1,5 +1,5 @@
#
# spec file for package openssh (Version 4.5p1)
# spec file for package openssh (Version 4.6p1)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@ -28,8 +28,8 @@ Requires: /bin/netstat
PreReq: /usr/sbin/groupadd /usr/sbin/useradd %insserv_prereq %fillup_prereq /bin/mkdir /bin/cat permissions
Conflicts: nonfreessh
Autoreqprov: on
Version: 4.5p1
Release: 19
Version: 4.6p1
Release: 1
%define xversion 1.2.4.1
Summary: Secure Shell Client and Server (Remote Login Program)
URL: http://www.openssh.com/
@ -283,7 +283,7 @@ rm -rf $RPM_BUILD_ROOT
%dir /etc/slp.reg.d
/etc/slp.reg.d/ssh.reg
/var/adm/fillup-templates/sysconfig.ssh
%{_fwdefdir}/sshd
%config %{_fwdefdir}/sshd
%files askpass
%defattr(-,root,root)
@ -294,6 +294,19 @@ rm -rf $RPM_BUILD_ROOT
%config %_appdefdir/SshAskpass
%changelog
* Mon Mar 12 2007 - anicka@suse.cz
- update to 4.6p1
* sshd now allows the enabling and disabling of authentication
methods on a per user, group, host and network basis via the
Match directive in sshd_config.
* Allow multiple forwarding options to work when specified in a
PermitOpen directive
* Clear SIGALRM when restarting due to SIGHUP. Prevents stray
signal from taking down sshd if a connection was pending at
the time SIGHUP was received
* hang on exit" when background processes are running at the
time of exit on a ttyful/login session
* some more bugfixes
* Mon Mar 05 2007 - anicka@suse.cz
- fix path for firewall definition
* Thu Mar 01 2007 - anicka@suse.cz